ISO/IEC 27799

What’s In This Standard for Healthcare IT Managers?

Even as European healthcare IT professionals brace themselves to understand the shifting contours of the emerging e-Health wave and cope with its implications, regulatory developments in yet another sphere are appearing on the horizon.

An Emerging Standard

Officially, the ISO/IEC 27799 standard is known as “Health informatics – Information security management in health using ISO/IEC 17799”. At the time of HITM going to press, it is officially classified as being “under development”.

The ISO 27000 series – of which 27799 will form another new facet – is already used as a ‘common language’ for best practices in IT security management, and lays the framework for emerging European and international information security laws. It has moved to the top of the executive agenda after the growth in global compliance requirements, above all in the shape of the 2002 US Sarbanes-Oxley Act, which followed the gush of corporate and accounting scandals at Enron, Tyco International and WorldCom earlier in the decade.

Healthcare Facets Driven by Wider Business Concerns, Scandals

This, in turn, led to a rapid rise in the profile of previous healthcare sector-specific initiatives such as HIPAA (the Health Insurance Portability and Accountability Act), which was enacted in 1996. Although HIPAA was aimed at providing job security in the US health sector, the Act’s Title II (known as the Administrative Simplification provisions) covers standards for electronic health care transactions, alongside national identifiers for providers, health insurance plans and employers. Crucially, the Administrative Simplification provisions also address the security and privacy of health data.

Personal Certifications: Proactive or Defensive

Such an environment evidently gives healthcare IT professionals a strong motive to pursue certifications like CISSP (Certified Information Systems Security Professional), which is itself based on another ISO standard (17024). It has also given senior managers at healthcare institutions the incentive to move information security to the top of their agendas. In theory, ISO/IEC 27799 is designed to furnish a “minimum set of requirements” to provide adequate information security in healthcare, in terms of its integrity and availability. However, it is also directed at protecting personal health information – which is a relatively ‘soft’ but nonetheless crucial objective within the panoply of emerging e-Health rules.

ISO/IEC 27799: Who and What

ISO/IEC 27799 is being developed by ISO committee TC215 (see box), which is separate from the SC27 committee mandated with the development of the other ISO 27000 standards. This has allegedly led to inefficiencies (such as duplication, lack of fit and clarity) as well as personal frictions. The Secretariat is US-led, and the US also convenes two of the eight working groups. Of the remainder, one still lacks a convenor, while the others are split as follows: Canada (two), Australia (one), Netherlands and Germany (one each).
